| author | tb <> | 2026-03-28 11:49:31 +0000 |
|---|---|---|
| committer | tb <> | 2026-03-28 11:49:31 +0000 |
| commit | f3cceccc18dfd4f96044df85f30c117f39b9cc9f (patch) | |
| tree | 27ec53e2e4a96375c9a16b7ded8aa7906234a0d6 /src/lib | |
| parent | cb80f3489708580ad1f1d4b027d1c0b23fa3f15a (diff) | |
libtls: const workarounds for X509_NAME in OCSP for OpenSSL 4
The API to look up a cert by subject or issuer name clearly only needs to
do name comparisons in a collection of certs, so it should by all means take a
const X509_NAME * as an argument. However, this isn't all that easy to do
and hence it's only in OpenSSL 4 that this obvious step was reached.
This means that there is no way around casting for older code. One could
cast the return value of X509_get_issuer_name() or the argument passed to
the two lookups by subject. jsing slightly prefers the second approach,
so this is what we do here.
ok djm jsing kenjiro
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 9 |
1 files changed, 5 insertions, 4 deletions
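--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.27 2026/03/28 11:49:31 tb Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -130,7 +130,7 @@ static OCSP_CERTID *
 tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
     SSL_CTX *ssl_ctx)
 {
-	X509_NAME *issuer_name;
+	const X509_NAME *issuer_name;
 	X509 *issuer;
 	X509_STORE_CTX *storectx = NULL;
 	X509_OBJECT *obj = NULL;
@@ -141,7 +141,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 		goto out;
 
 	if (extra_certs != NULL) {
-		issuer = X509_find_by_subject(extra_certs, issuer_name);
+		issuer = X509_find_by_subject(extra_certs,
+		    (X509_NAME *)issuer_name);
 		if (issuer != NULL) {
 			cid = OCSP_cert_to_id(NULL, main_cert, issuer);
 			goto out;
@@ -155,7 +156,7 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
 		goto out;
 	if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509,
-	    issuer_name)) == NULL)
+	    (X509_NAME *)issuer_name)) == NULL)
 		goto out;
 
 	cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj));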
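Review bot: The two `(X509_NAME *)issuer_name` casts in the -141 and -155 hunks carry no in-code explanation, so a later reader will see a const being stripped in a lookup path and may either "fix" it back or wonder whether the callee mutates the name. The commit message explains that the casts exist only because pre-OpenSSL 4 prototypes of X509_find_by_subject() and X509_STORE_CTX_get_obj_by_subject() take a non-const X509_NAME * although they only compare names; that rationale belongs next to the first cast, e.g. `/* XXX cast: the lookups only take const X509_NAME * as of OpenSSL 4. */`, with a one-line pointer to it at the second site. The casts are safe as long as the lookups really only read the name, which is what the message asserts; a short comment would make that contract visible when the casts are eventually removed. tls_ocsp_get_certid()'s body, including where issuer_name is assigned, continues outside these hunks.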
